Configure an Anti-DDoS Proxy (Outside Chinese Mainland) instance of the CMA mitigation plan - Anti-DDoS

An Anti-DDoS Proxy (Outside Chinese Mainland) instance of the Chinese Mainland Acceleration (CMA) mitigation plan must be used together with an Anti-DDoS Proxy (Outside Chinese Mainland) instance of the Insurance or Unlimited mitigation plan. After you add your service that is deployed outside the Chinese mainland to an Anti-DDoS Proxy (Outside Chinese Mainland) instance of the Insurance or Unlimited mitigation plan, you can use an Anti-DDoS Proxy (Outside Chinese Mainland) instance of the CMA mitigation plan to accelerate service access for users in the Chinese mainland if no attacks occur.

Prerequisites

An Anti-DDoS Proxy (Outside Chinese Mainland) instance of the Insurance or Unlimited mitigation plan is purchased
An Anti-DDoS Proxy (Outside Chinese Mainland) instance of the CMA mitigation plan is purchased.

For more information, see Purchase an Anti-DDoS Proxy instance.

Background information

After you use an Anti-DDoS Proxy (Outside Chinese Mainland) instance of the Insurance or Unlimited mitigation plan together with an Anti-DDoS Proxy (Outside Chinese Mainland) instance of the CMA mitigation plan to protect your service, the Anti-DDoS Proxy (Outside Chinese Mainland) instance of the CMA mitigation plan can accelerate service access if no attacks occur. If your service is under attack, Anti-DDoS automatically switches the traffic to the Anti-DDoS Proxy (Outside Chinese Mainland) instance of the Insurance or Unlimited mitigation plan to mitigate the attacks.

ddos高防国际

Procedure

Log on to the Anti-DDoS Proxy console.
In the top navigation bar, select Outside Chinese Mainland.
If you select this region, you are redirected to the Anti-DDoS Proxy (Outside Chinese Mainland) console.
Add your service to the Anti-DDoS Proxy (Outside Chinese Mainland) instance of the Insurance or Unlimited mitigation plan and to the Anti-DDoS Proxy (Outside Chinese Mainland) instance of the CMA mitigation plan.
- You can add your website service on the Website Config page.
  In the left-side navigation pane, choose Provisioning > Website Config. On the Website Config page, click Add Website. On the page that appears, configure the parameters to add your website service. For more information, see Add one or more websites.
  Important
  When you configure the Instance parameter in the Enter Website Information step, you must select both an Anti-DDoS Anti-DDoS Proxy (Outside Chinese Mainland) instance of the Insurance or Unlimited mitigation plan and an Anti-DDoS Proxy (Outside Chinese Mainland) instance of the CMA mitigation plan.
  You need to only configure the parameters in the Enter Website Information step. After your website service is added, you do not need to follow the instructions that are provided on the page to change the DNS record.
- You can add your non-website service on the Port Config page.
  In the left-side navigation pane, choose Provisioning > Port Config. On the Port Config page, click Create Rule. In the dialog box that appears, configure the parameters to add your non-website service. For more information, see Configure port forwarding rules.
  Important
  Before you add your non-website service to an Anti-DDoS Proxy (Outside Chinese Mainland) instance of the CMA mitigation plan, make sure that the service can be accessed by using domain names. If your non-website service can be accessed only by using IP addresses, you cannot add the service to an Anti-DDoS Proxy (Outside Chinese Mainland) instance of the CMA mitigation plan.
  You must configure the same forwarding rules for both the Anti-DDoS Proxy (Outside Chinese Mainland) instance of the Insurance or Unlimited mitigation plan and the Anti-DDoS Proxy (Outside Chinese Mainland) instance of the CMA mitigation plan.
Create a network acceleration rule.
In the left-side navigation pane, choose Provisioning > Sec-Traffic Manager. On the General Interaction tab of the Sec-Traffic Manager page, click Add Rule. In the dialog box that appears, configure the parameters to create a network acceleration rule. For more information, see Create a network acceleration rule.
After the network acceleration rule is created, Anti-DDoS generates a CNAME. You need to only change the DNS record of your domain name to map the domain name to the CNAME.
Important
The automatic traffic redirection is achieved based on the CNAME. Therefore, you must use the CNAME.
Change the DNS record of your domain name on the website of your DNS service provider.
To allow the network acceleration rule to take effect, you must change the DNS record of your domain name on the website of the DNS service provider and map the domain name to the CNAME provided by Sec-Traffic Manager. If your DNS service is provided by Alibaba Cloud DNS, you need to only change the DNS record in the Alibaba Cloud DNS console.
Important
After you change the DNS record of your domain name, the network acceleration rule takes effect. Before you change the DNS record, we recommend that you modify the hosts file on your computer to verify the network acceleration rule. This helps avoid incompatibility issues that are caused by inconsistent back-to-origin policies.
For more information about how to verify network acceleration rules, see Verify the forwarding configurations on your computer.
For more information about how to change the DNS records of a domain name, see Change the CNAME to redirect traffic to Sec-Traffic Manager.

Result

If no attacks occur after a network acceleration rule is created, service access of users in the Chinese mainland is accelerated by using the Anti-DDoS Proxy (Outside Chinese Mainland) instance of the CMA mitigation plan. If attacks occur, traffic is switched to the Anti-DDoS Proxy (Outside Chinese Mainland) instance of the Insurance or Unlimited mitigation plan for scrubbing. This way, only service traffic is forwarded to the origin server.